oknets10 03-24-2008 03:03 AM

iptables problem after del add a rule
Hi all,

I'm adding an SNAT rule and doing a ping to check it, and it works fine.
Then I'm deleting the rule and adding it again (without stopping the ping), and the ping will not start working again; I must stop and start the ping for iptables (and ping) to work.

Any idea why? And how to solve it?

sarajevo 03-24-2008 03:09 AM

Hi, give us the iptables code you have :)
Then we can write more, right?

oknets10 03-24-2008 03:12 AM
iptables -t nat -A POSTROUTING -s -j SNAT --to

That's all.

sarajevo 03-24-2008 03:35 AM

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT # you set start rules: drop everything in the INPUT and FORWARD chains, and accept all in the OUTPUT chain (do you understand chains?)

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT # accept everything on the lo interface

I suppose you have this rule on some machine with two network interfaces?

So, using this rule
iptables -t nat -A POSTROUTING -s -j SNAT --to

you allow packets originating from network to have a source address as if they were originating from host
You can allow transferring packets from one interface to another with the following rules:

iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT ...
this will allow forward from inside net to outside.

iptables -A FORWARD -o $other_iface -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

also read http://iptables-tutorial.frozentux.n...-tutorial.html

and more,

By the way, I do not understand why you have to stop it once it is working.
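As an added example (not sarajevo's script and not from the thread): the rule set above as an idempotent shell script, where each rule is appended only if `iptables -C` does not already find it, so deleting and re-adding a rule or re-running the script never leaves duplicate copies; the state list is written without the space after the comma, which iptables rejects. The inside network, public address and interface names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: apply the posted rule set idempotently.
# Network, address and interface values are constructed placeholders.
INSIDE_NET=${INSIDE_NET:-192.168.1.0/24}   # LAN behind the router (placeholder)
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}       # address to SNAT to (placeholder)
OTHER_IFACE=${OTHER_IFACE:-eth1}           # outside interface (placeholder)
IPT=${IPT:-iptables}

# Run iptables, or just print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# Append a rule only if an identical one is not already in the chain
# (-C checks), so re-running never leaves duplicate copies behind.
ipt_add() {
    table=$1; shift
    if [ "${DRY_RUN:-0}" != 1 ] && "$IPT" -t "$table" -C "$@" 2>/dev/null; then
        return 0   # already present
    fi
    ipt -t "$table" -A "$@"
}

apply_rules() {
    # Default policies: drop unsolicited input and forwarding, allow output.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback is always allowed.
    ipt_add filter INPUT -i lo -j ACCEPT
    ipt_add filter OUTPUT -o lo -j ACCEPT
    # Replies and related traffic in both directions; new flows only from inside.
    # State names are comma-separated with no space (a space breaks the match).
    ipt_add filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt_add filter FORWARD -s "$INSIDE_NET" -o "$OTHER_IFACE" \
        -m state --state NEW -j ACCEPT
    # SNAT only traffic from the inside network leaving via the outside interface.
    ipt_add nat POSTROUTING -s "$INSIDE_NET" -o "$OTHER_IFACE" \
        -j SNAT --to-source "$PUBLIC_IP"
}

# sh nat.sh apply           -> apply the rules (as root)
# DRY_RUN=1 sh nat.sh apply -> print the commands instead of running them
if [ "${1:-}" = apply ]; then apply_rules; fi
```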

oknets10 03-24-2008 04:13 AM
Yes, the rule is on a machine with two interfaces.
You suggest a different way for the same thing, but four rules instead of one. Yours is more generic, but I don't need it.
Thanks for your help.

